Wi-fi bunfight over hackers at Macca's

Jenneth Orantia

Next time you're using the free wi-fi at McDonald's, watch out for that creepy guy in the corner. He may be trying to steal your passwords and hack into your computer.

Public wi-fi hotspots are increasingly common. Cafes, fast food chains, airports and even buses and trains offer them as a free service. A recent study conducted by McAfee found that nearly two-thirds of the surveyed Australians used free wi-fi.

But just because there's free wi-fi at a trusted establishment, there's no guarantee it's safe to use.

Many public hotspots pass the onus of security to their users. The terms and conditions of the wi-fi at McDonald's say it's up to users to keep their usernames, passwords and other security-based information secure and private.

Advertisement

A security adviser at AVG Australia/New Zealand, Michael McKinnon, says users need to be especially mindful of what they do on a public wi-fi hotspot. "You have to assume from the start that the network cannot be trusted," he says.

The hazards of public wi-fi are two-fold. First, there's a chance that someone is eavesdropping on all the traffic that's passing through the network in the hope of snaring credit card details and other sensitive information. Second, there's the possibility that another user on the network is hacking into any computers that don't have adequate security in place.

Connecting to a hotspot that doesn't require a password is risky. Since it isn't secured with any encryption, nearly all of the internet traffic is sent in plain text and can be intercepted by anyone using openly available software. "You're effectively giving your passwords away," says McKinnon.

This danger was highlighted a couple of years ago when a software developer published a Firefox extension called Firesheep. Unlike other network cracking tools, which require a fairly sophisticated knowledge of computer networking, Firesheep made it child's play to hijack a user's session and gain full access to their social media accounts.

Using a password-protected hotspot helps, as all the network traffic is encrypted using Wired Equivalent Privacy (WEP) or the newer Wi-fi Protected Access (WPA) security, but even these networks can be compromised by a determined hacker.

Ars Technica journalist Dan Goodin recently reported that he was able to crack his neighbour's 10-character numerical password (on a WPA-encrypted wi-fi network) in only 89 minutes using penetration-testing software and a cloud-based password-cracking tool.

Keeping your passwords and other personal data safe can be accomplished by saving any sensitive transactions and website logins for when you're back on your home network. Assuming, of course, that your network is properly secured with a strong password – ideally one that you change on a regular basis.

Failing that, McKinnon recommends connecting to as many sites as possible using its HTTPS address whenever you're on a public wi-fi network. "HTTPS" in the front of the web address means the site is using Secure Sockets Layer (SSL) end-to-end encryption, making any communication with that site very difficult to hack. Internet banking sites and most online stores use SSL as a matter of course.

Some sites, like Twitter and Google, automatically switch to using SSL for the entire session. Facebook has a secure browsing option switched off by default, but it recently began rolling out always-on HTTPS to users in North America – users in other parts of the world are expected to get it shortly.

But securing your web traffic while you're on a public wi-fi network is only half the challenge. The other part is keeping your computer safe from hackers.

"When you're using a laptop on a wireless network, what you're effectively connecting to is not only the internet, but also a local area network where there are other computers," says McKinnon.

"Let's say there's a hacker sitting in the cafe that has just connected to the same wireless network you're connected to. He can actually hack into your computer, download files and transfer files, depending on how weak your computer security is. If your laptop isn't up to date and doesn't have any security software, you're definitely putting yourself at risk."

Having a good personal firewall on your computer is the first defence – it's like having sturdy front door to prevent thieves from walking in and stealing all of your valuables. But you'll also need to stop them from finding a sneaky way in; this is accomplished by ensuring your computer has up-to-date internet security software and all of the latest software updates applied.